NSE4_FGT-7.2 Free Practice Test

Examine this output from a debug flow:

Why did the FortiGate drop the packet?

1. A. The next-hop IP address is unreachable.
2. B. It failed the RPF check .
3. C. It matched an explicitly configured firewall policy with the action DENY.
4. D. It matched the default implicit firewall policy.

Correct Answer: D
https://kb.fortinet.com/kb/documentLink.do?externalID=13900 https://www.fortinetguru.com/2016/03/what-is-policy-id-0-and-why-lot-of-denied-traffic-on-this-policy/

What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)

1. A. Virtual IP addresses are used to distinguish between cluster members.
2. B. Heartbeat interfaces have virtual IP addresses that are manually assigned.
3. C. The primary device in the cluster is always assigned IP address 169.254.0.1.
4. D. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

Correct Answer: AD
Fortigate Infrastructure 7.2 Study Guide page 301 FortiGate Infrastructure 7.2 Study Guide (p.301):
"FGCP automatically assigns the heartbeat IP addresses based on the serial number of each device. The IP address 169.254.0.1 is assigned to the device with the highest serial number."
"A change in the heartbeat IP addresses may happen when a FortiGate device joins or leaves the cluster." "The HA cluster uses the heartbeat IP addresses to distinguish the cluster members and synchronize data." https://networkinterview.com/fortigate-ha-high-availability/

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

1. A. VDOMs without ports with connected devices are not displayed in the topology.
2. B. Downstream devices can connect to the upstream device from any of their VDOMs.
3. C. Security rating reports can be run individually for each configured VDOM.
4. D. Each VDOM in the environment can be part of a different Security Fabric.

Correct Answer: A
FortiGate Security 7.2 Study Guide (p.436): "When you configure FortiGate devices in multi-vdom mode and add them to the Security Fabric, each VDOM with its assigned ports is displayed when one or more devices are detected. Only the ports with discovered and connected devices appear in the Security Fabric view and, because of this, you must enable Device Detection on ports you want to have displayed in the Security Fabric. VDOMs without ports with connected devices are not displayed. All VDOMs configured must be part of a single Security Fabric."

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

1. A. To detect intermediary NAT devices in the tunnel path.
2. B. To dynamically change phase 1 negotiation mode aggressive mode.
3. C. To encapsulation ESP packets in UDP packets using port 4500.
4. D. To force a new DH exchange with each phase 2 rekey.

Correct Answer: AC

Which statement describes a characteristic of automation stitches?

1. A. They can have one or more triggers.
2. B. They can be run only on devices in the Security Fabric.
3. C. They can run multiple actions simultaneously.
4. D. They can be created on any device in the fabric.

Correct Answer: C
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/351998/creating-automation-stitches